Data breach mandatory notification for Australia

Varonis comments on the possibility of Australia falling in line with the USA and the EU with the introduction of compulsory declaration of data breaches

Data governance specialist Varonis Systems has welcomed news that the Australian government is contemplating a mandatory notification rule for any organization suffering a data breach.

David Gibson, Varonis’ Vice President of Strategy, said that the discussion paper issued by the Australian Attorney-General – which seeks comments on whether organizations should be required to report breaches, what kind of breaches should have to be reported, who should be notified, and what penalties should apply for failure to comply – is excellent news.

“The most important aspect of the proposed legislation, apart from the mandatory reporting requirement, is the naming and shaming of those organizations whose security negligence has resulted in customer data leaking out to the Internet and/or being stolen by cybercriminals,” he said.

“This will give ordinary citizens as well as third-party organizations a chance to learn about the data misdemeanors of Australian businesses and public sector agencies, and help them make a choice,” he added.

Gibson went on to say that as virtually every facet of our lives becomes digital, citizens begin to understand the need to protect their data as an asset, in the same way they protect money.

In many ways, he said, money and data are strongly linked, as personal data that is stolen or lost as a result of a data breach is now bought and sold on the identity theft marketplace.

Company data, meanwhile, is bought and sold for industry espionage and competition purposes, as its loss results in public embarrassment and regulatory fines for the organization involved.

The Internet, Gibson explained, has given rise to a new level of transparency and fluidity of information, where companies suffer the ignominy of being named, shamed, and fined and lose business as a result of a breach.

“This is why legislation such as that which is being proposed in Australia is so important. We hope that, if anything, the Australian government imposes strong penalties on the organizations whose carelessness results in a data breach.

“At the very least, this should prompt organizations who fail to protect their structured and unstructured data – perhaps by recklessly outsourcing to a free or low-cost cloud service provider without doing the necessary checks – to re-evaluate their data governance strategy,” Gibson said.